linux-stable

History

Liu Jian 35f5e70bdf net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory [ Upstream commit `3f8ef65af9` ] Fixes the below NULL pointer dereference: [...] [ 14.471200] Call Trace: [ 14.471562] <TASK> [ 14.471882] lock_acquire+0x245/0x2e0 [ 14.472416] ? remove_wait_queue+0x12/0x50 [ 14.473014] ? _raw_spin_lock_irqsave+0x17/0x50 [ 14.473681] _raw_spin_lock_irqsave+0x3d/0x50 [ 14.474318] ? remove_wait_queue+0x12/0x50 [ 14.474907] remove_wait_queue+0x12/0x50 [ 14.475480] sk_stream_wait_memory+0x20d/0x340 [ 14.476127] ? do_wait_intr_irq+0x80/0x80 [ 14.476704] do_tcp_sendpages+0x287/0x600 [ 14.477283] tcp_bpf_push+0xab/0x260 [ 14.477817] tcp_bpf_sendmsg_redir+0x297/0x500 [ 14.478461] ? __local_bh_enable_ip+0x77/0xe0 [ 14.479096] tcp_bpf_send_verdict+0x105/0x470 [ 14.479729] tcp_bpf_sendmsg+0x318/0x4f0 [ 14.480311] sock_sendmsg+0x2d/0x40 [ 14.480822] ____sys_sendmsg+0x1b4/0x1c0 [ 14.481390] ? copy_msghdr_from_user+0x62/0x80 [ 14.482048] ___sys_sendmsg+0x78/0xb0 [ 14.482580] ? vmf_insert_pfn_prot+0x91/0x150 [ 14.483215] ? __do_fault+0x2a/0x1a0 [ 14.483738] ? do_fault+0x15e/0x5d0 [ 14.484246] ? __handle_mm_fault+0x56b/0x1040 [ 14.484874] ? lock_is_held_type+0xdf/0x130 [ 14.485474] ? find_held_lock+0x2d/0x90 [ 14.486046] ? __sys_sendmsg+0x41/0x70 [ 14.486587] __sys_sendmsg+0x41/0x70 [ 14.487105] ? intel_pmu_drain_pebs_core+0x350/0x350 [ 14.487822] do_syscall_64+0x34/0x80 [ 14.488345] entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] The test scenario has the following flow: thread1 thread2 ----------- --------------- tcp_bpf_sendmsg tcp_bpf_send_verdict tcp_bpf_sendmsg_redir sock_close tcp_bpf_push_locked __sock_release tcp_bpf_push //inet_release do_tcp_sendpages sock->ops->release sk_stream_wait_memory // tcp_close sk_wait_event sk->sk_prot->close release_sock(__sk); * lock_sock(sk); __tcp_close sock_orphan(sk) sk->sk_wq = NULL release_sock ** lock_sock(__sk); remove_wait_queue(sk_sleep(sk), &wait); sk_sleep(sk) //NULL pointer dereference &rcu_dereference_raw(sk->sk_wq)->wait While waiting for memory in thread1, the socket is released with its wait queue because thread2 has closed it. This caused by tcp_bpf_send_verdict didn't increase the f_count of psock->sk_redir->sk_socket->file in thread1. We should check if SOCK_DEAD flag is set on wakeup in sk_stream_wait_memory before accessing the wait queue. Suggested-by: Jakub Sitnicki <jakub@cloudflare.com> Signed-off-by: Liu Jian <liujian56@huawei.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: John Fastabend <john.fastabend@gmail.com> Cc: Eric Dumazet <edumazet@google.com> Link: https://lore.kernel.org/bpf/20220823133755.314697-2-liujian56@huawei.com Signed-off-by: Sasha Levin <sashal@kernel.org>		2022-10-24 09:58:15 +02:00
..
Makefile	net: kunit: add a test for dev_addr_lists	2021-11-20 12:25:57 +00:00
bpf_sk_storage.c	net: Fix data-races around sysctl_optmem_max.	2022-08-31 17:18:08 +02:00
datagram.c	tcp: TX zerocopy should not sense pfmemalloc status	2022-09-15 10:47:15 +02:00
dev.c	bpf: Don't redirect packets with invalid pkt_len	2022-09-05 10:31:28 +02:00
dev.h	net: add skb_defer_max sysctl	2022-05-16 11:33:59 +01:00
dev_addr_lists.c	net: extract a few internals from netdevice.h	2022-04-07 20:32:09 -07:00
dev_addr_lists_test.c	net: kunit: add a test for dev_addr_lists	2021-11-20 12:25:57 +00:00
dev_ioctl.c	net: extract a few internals from netdevice.h	2022-04-07 20:32:09 -07:00
devlink.c	devlink: Fix use-after-free after a failed reload	2022-08-25 11:45:16 +02:00
drop_monitor.c	net: dm: check the boundary of skb drop reasons	2022-05-16 10:47:43 +01:00
dst.c	net: dst: add net device refcount tracking to dst_entry	2021-12-06 16:05:10 -08:00
dst_cache.c	wireguard: device: reset peer src endpoint when netns exits	2021-11-29 19:50:45 -08:00
failover.c	net: failover: add net device refcount tracker	2021-12-06 16:06:02 -08:00
fib_notifier.c	net: fib_notifier: propagate extack down to the notifier block callback	2019-10-04 11:10:56 -07:00
fib_rules.c	fib: expand fib_rule_policy	2021-12-16 07:18:35 -08:00
filter.c	net: Fix data-races around sysctl_optmem_max.	2022-08-31 17:18:08 +02:00
flow_dissector.c	flow_dissector: Do not count vlan tags inside tunnel payload	2022-10-24 09:57:12 +02:00
flow_offload.c	netfilter: nf_tables: bail out early if hardware offload is not supported	2022-06-06 19:19:15 +02:00
gen_estimator.c	net: sched: Remove Qdisc::running sequence counter	2021-10-18 12:54:41 +01:00
gen_stats.c	net: sched: fix misuse of qcpu->backlog in gnet_stats_add_queue_cpu	2022-08-25 11:45:33 +02:00
gro.c	net: allow gro_max_size to exceed 65536	2022-05-16 10:18:56 +01:00
gro_cells.c	net: Fix data-races around netdev_max_backlog.	2022-08-31 17:18:08 +02:00
hwbm.c	net: hwbm: Make the hwbm_pool lock a mutex	2019-06-09 19:40:10 -07:00
link_watch.c	net: extract a few internals from netdevice.h	2022-04-07 20:32:09 -07:00
lwt_bpf.c	bpf, lwt: Fix crash when using bpf_skb_set_tunnel_key() from bpf_xmit lwt hook	2022-04-22 17:45:25 +02:00
lwtunnel.c	lwtunnel: Validate RTA_ENCAP_TYPE attribute length	2021-12-31 14:31:59 +00:00
neighbour.c	net: neigh: don't call kfree_skb() under spin_lock_irqsave()	2022-09-05 10:31:36 +02:00
net-procfs.c	net: extract a few internals from netdevice.h	2022-04-07 20:32:09 -07:00
net-sysfs.c	net: fix data-race in dev_isalive()	2022-06-17 10:59:31 +01:00
net-sysfs.h	net-sysfs: add netdev_change_owner()	2020-02-26 20:07:25 -08:00
net-traces.c	tcp: add tracepoint for checksum errors	2021-05-14 15:26:03 -07:00
net_namespace.c	net: initialize init_net earlier	2022-02-06 11:04:29 +00:00
netclassid_cgroup.c	bpf, cgroups: Fix cgroup v2 fallback on v1/v2 mixed mode	2021-09-13 16:35:58 -07:00
netevent.c	net: core: Correct function name netevent_unregister_notifier() in the kerneldoc	2021-03-28 17:56:56 -07:00
netpoll.c	netpoll: add net device refcount tracker to struct netpoll	2021-12-06 16:06:02 -08:00
netprio_cgroup.c	bpf, cgroups: Fix cgroup v2 fallback on v1/v2 mixed mode	2021-09-13 16:35:58 -07:00
of_net.c	Revert "of: net: support NVMEM cells with MAC in text format"	2022-01-12 14:14:36 +00:00
page_pool.c	net: page_pool: add page allocation stats for two fast page allocate path	2022-05-13 11:28:55 +01:00
pktgen.c	proc: remove PDE_DATA() completely	2022-01-22 08:33:37 +02:00
ptp_classifier.c	ptp: Add generic PTP is_sync() function	2022-03-07 11:31:34 +00:00
request_sock.c	tcp: add rcu protection around tp->fastopen_rsk	2019-10-13 10:13:08 -07:00
rtnetlink.c	net: rtnetlink: fix module reference count leak issue in rtnetlink_rcv_msg	2022-08-25 11:45:33 +02:00
scm.c	memcg: enable accounting for scm_fp_list objects	2021-07-20 06:00:38 -07:00
secure_seq.c	tcp: Fix data-races around sysctl knobs related to SYN option.	2022-07-20 10:14:49 +01:00
selftests.c	net: core: constify mac addrs in selftests	2021-10-24 13:59:44 +01:00
skbuff.c	net/core/skbuff: Check the return value of skb_copy_bits()	2022-09-15 10:47:09 +02:00
skmsg.c	skmsg: Schedule psock work if the cached skb exists on the psock	2022-10-24 09:57:13 +02:00
sock.c	net: Fix a data-race around sysctl_net_busy_read.	2022-08-31 17:18:09 +02:00
sock_destructor.h	skb_expand_head() adjust skb->truesize incorrectly	2021-10-22 12:35:51 -07:00
sock_diag.c	net: Don't include filter.h from net/sock.h	2021-12-29 08:48:14 -08:00
sock_map.c	bpf: Acquire map uref in .init_seq_private for sock{map,hash} iterator	2022-08-25 11:45:14 +02:00
sock_reuseport.c	tcp: Fix data-races around sysctl_tcp_migrate_req.	2022-07-18 12:21:54 +01:00
stream.c	net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory	2022-10-24 09:58:15 +02:00
sysctl_net_core.c	net: Fix data-races around weight_p and dev_weight_[rt]x_bias.	2022-08-31 17:18:08 +02:00
timestamping.c	net: Introduce a new MII time stamping interface.	2019-12-25 19:51:33 -08:00
tso.c	net: tso: add UDP segmentation support	2020-06-18 20:46:23 -07:00
utils.c	net: core: Use csum_replace_by_diff() and csum_sub() instead of opencoding	2022-02-21 11:40:44 +00:00
xdp.c	Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next	2022-03-22 11:18:49 -07:00